b"                       Audit of Capital Planning and\n                         Investment Management\n\n\n\n\n                                   FINAL AUDIT REPORT\n                                     ED-OIG/A07-C0033\n                                      September 2003\n\n\n\n\nOur mission is to promote the efficiency,               U.S. Department of Education\neffectiveness, and integrity of the                       Office of Inspector General\nDepartment\xe2\x80\x99s programs and operations.                    Kansas City, Missouri Office\n\x0c                                        NOTICE\n            Statements that managerial practices need improvements, as well as other\n                         conclusions and recommendations in this report\n          represent the opinions of the Office of Inspector General. Determinations of\ncorrective action to be taken will be made by the appropriate Department of Education officials.\n\n         In accordance with Freedom of Information Act (5 U.S. C. \xc2\xa7 552) reports\n                  issued by the Office of Inspector General are available to\n   members of the press and general public to the extent information contained therein is not\n                              subject to exemptions in the Act.\n\x0c\x0c      Audit of Capital Planning and Investment Management\n\n\n                            Table of Contents\n\n\nExecutive Summary \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa61\n\nAudit Results \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6..\xe2\x80\xa6..3\n\n     Finding 1 - The Department Has Limited Processes to Ensure Investments\n                  Are Consistent With Its Target Architecture\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6.\xe2\x80\xa6....5\n\n     Finding 2 - The Department Has Not Implemented Necessary Processes to\n                  Ensure Project-level Control and Selection \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...7\n\n     Finding 3 - The Department Lacks an Investment Management Practice to\n                  Continually Assess Proposed and Ongoing Projects \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..11\n\nBackground \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...13\n\nObjectives, Scope, and Methodology \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...14\n\nStatement on Management Controls \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.16\n\n\n\n\nED-OIG/AO7-C0033\n\x0c          Audit of Capital Planning and Investment Management\n\n\n                                       Executive Summary\n\n\nWe reviewed the Department of Education\xe2\x80\x99s (Department) information technology (IT) capital\nplanning and investment review process. The objective of our review was to assess the status of\nthe Department\xe2\x80\x99s compliance with the Clinger-Cohen Act1 requirements for capital planning and\ninvestment management. Specifically, we determined whether the Department\xe2\x80\x99s investment\nreview process ensured that 1) IT investment decisions were consistent with the enterprise\narchitecture currently under development; 2) costs and benefits of each investment were fully\nconsidered in determining which projects to fund; and 3) costs and benefits of all IT investments\nwere adequately tracked and considered in determining the mix of projects funded for the\nDepartment\xe2\x80\x99s overall investment portfolio.\n\nThe General Accounting Office\xe2\x80\x99s (GAO) Information Technology Investment Management\n(ITIM) maturity framework2 provides guidance to agencies in implementing the Clinger Cohen\nAct\xe2\x80\x99s requirements for capital planning and investment management. ITIM identifies critical\nprocesses for successful IT investment using a framework of five stages of increasing maturity.3\nWe found that the Department is making progress in developing mature investment management\ncapabilities. Specifically, we found that the Department was at stage two \xe2\x80\x93 defined as building\nthe investment foundation, but is also performing core elements related to stage three \xe2\x80\x93 defined\nas developing a complete investment portfolio.\n\nAlthough the Department is making progress in developing important management capabilities,\nit still has considerable work ahead to fully implement mature and effective processes. We\nfound that the Department did not have adequate investment management processes to ensure\nthat 1) IT investment decisions were consistent with the enterprise architecture currently under\ndevelopment; 2) decision-makers had complete life-cycle information on cost, benefits, schedule,\nand risk (CBSR) to fully consider in determining which projects to fund; and 3) CBSR for all IT\n\n\n1\n  Previously referred to as the Information Technology Management Reform Act of 1996, Division E of Public Law\n104-106, 110 Stat. 679 (1996).\n2\n  Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity,\nExposure Draft (GAO/AIMD-10.1.23), May 2000.\n3\n  GAO defined the five stages of maturity in the process of developing successful IT investment management\ncapabilities: Stage 1 \xe2\x80\x93 creating investment awareness; Stage 2 \xe2\x80\x93 building the investment foundation; Stage 3 \xe2\x80\x93\ndeveloping a complete investment portfolio; Stage 4 \xe2\x80\x93 improving the investment process; and Stage 5 \xe2\x80\x93 leveraging\nIT for strategic outcomes (see pages 4-5 for a more complete description of what each stage entails).\n\nED-OIG/AO7-C0033                                                                                        Page 1\n\x0cinvestments were adequately tracked and considered in determining the mix of projects funded\nfor the Department\xe2\x80\x99s overall investment portfolio.\n\nWe reported, in September 2002, that the Department had not completed a target enterprise\narchitecture (EA).4 Without a completed target architecture the Department\xe2\x80\x99s IT goals may not\nbe explicitly clear to decision-makers and the Department may not have the necessary\ninformation crucial to evaluating IT investments. We found that each of the 47 business cases\nwe reviewed included an EA compatibility score with no explanation of how the score was\ncalculated. None of the business cases included specific information related to the proposals\ncompatibility with the target enterprise architecture. In May 2003, the Department\xe2\x80\x99s Enterprise\nArchitecture Working Group (EAWG) began analyzing all business cases before the Investment\nReview Board (IRB) decides which investments to fund. Given its role, the EAWG is in the best\nposition within the Department to ensure compliance with the enterprise architecture.\n\nIn accordance with GAO\xe2\x80\x99s ITIM framework, the Department has categorized investment\nproposals and established basic characteristics (selection criteria) for evaluating new IT\nproposals. In addition, the Department is using the established criteria in evaluating and\nselecting IT investments. However, the Department does not always ensure that the IT proposals\nhave the most up to date and complete life-cycle cost, benefit, schedule, and risk (CBSR)\ninformation available; and use that information in evaluating competing investments and\ndeciding on which investments to fund both within and between the defined categories. In\naddition, the Department has not implemented processes associated with managing investments\nas a complete portfolio. As a result, the Department\xe2\x80\x99s IRB may not be able to adequately assess\nthe relative merits of investment proposals and make trade-offs among competing options.\n\nThe Department generally concurred with our findings and recommendations and stated that\nimprovements had already been made and incorporated in its most current IT Investment\nManagement (ITIM) process. In addition, the Department\xe2\x80\x99s response indicated that it had\nalready implemented many of the audit\xe2\x80\x99s recommendations, but acknowledged that there was\nstill an opportunity for improvement by ensuring the practices are consistently applied. We have\nincorporated their comments, where appropriate, and provided the Department\xe2\x80\x99s full response as\nan attachment to this report.\n\n\n\n\n4\n    Audit of Enterprise Architecture, Final Audit Report, dated September 30, 2002 (ED-OIG/A07-C0001).\n\nED-OIG/AO7-C0033                                                                                         Page 2\n\x0c         Audit of Capital Planning and Investment Management\n\n\n                                          Audit Results\n\n\nDeveloping an effective investment management capability is a challenging and necessary\nprocess to ensure that information technology investments are selected, controlled, and evaluated\nin a cost-effective and efficient manner, within the context of an overall information technology\nstrategy. We assessed the status of the Department\xe2\x80\x99s compliance with the Clinger-Cohen Act\nrequirements for capital planning and investment management. Specifically, we determined\nwhether the Department\xe2\x80\x99s investment review process ensured that 1) information technology\n(IT) investment decisions were consistent with the enterprise architecture currently under\ndevelopment; 2) costs and benefits of each investment were fully considered in determining\nwhich projects to fund; and 3) costs and benefits of all IT investments were adequately tracked\nand considered in determining the mix of projects funded for the Department\xe2\x80\x99s overall\ninvestment portfolio.\n\nThe Department has made progress in taking specific actions to lay the groundwork for its\ninvestment management. In our review of the business cases, we have analyzed the information\npresented to the IRB in these meetings and found that the information provided and the process\nis improving after each meeting. However, critical elements need to be completed in order for\nthe Department, including Federal Student Aid (FSA), to have mature investment management\ncapabilities in place for acquiring and using systems across the Department in a cost-effective\nand efficient manner.\n\nIn May 2000, GAO issued an Information Technology Investment Management (ITIM) maturity\nframework,5 which identifies critical processes for successful IT investment and organizes these\nprocesses into a framework of increasingly mature stages. ITIM supports the fundamental\nrequirements of the Clinger-Cohen Act, which calls for IT investment and capital planning\nprocesses and IT performance measurement. ITIM is intended to provide a tool for\nimplementing these processes incrementally and effectively; and has been favorably reviewed by\nFederal Chief Information Officers (CIOs) and members of GAO's advisory council on IT\nmanagement.\n\n\n5\n Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity,\nExposure Draft (GAO/AIMD-10.1.23), May 2000.\n\n\nED-OIG/AO7-C0033                                                                                  Page 3\n\x0cITIM is a hierarchical model comprising five different maturity stages. Each stage builds upon\nthe lower stages and represents a step toward achieving both stable and effective IT investment\nmanagement processes. The framework indicates that with the exception of the first stage\xe2\x80\x94\nwhich reflects a general absence of investment management processes\xe2\x80\x94each maturity stage is\ncomposed of critical processes that must be implemented and institutionalized for the\norganization to satisfy the requirements of that stage and be able to advance to the next stage.\nThese critical processes are further broken down into key practices. Key practices are the\nspecific tasks and conditions that must be in place for an organization to effectively implement\nthe necessary critical processes. The following shows the five ITIM stages and a brief\ndescription of each stage (see Appendix I for a more complete description and what steps the\nDepartment has completed in relation to each stage of maturity):\n\n\xe2\x80\xa2     Stage 1: Creating Investment Awareness is characterized by either no plans to\n      develop and use investment management techniques, or plans and actions that do not\n      yet demonstrate an awareness of the value of using them.\n\n\xe2\x80\xa2     Stage 2: Building the Investment Foundation focuses on foundational processes\n      focusing on cost and schedule activities.\n\n\xe2\x80\xa2     Stage 3: Developing a Complete Investment Portfolio is characterized by\n      comprehensive investment portfolio selection and control techniques incorporating\n      benefit and risk criteria linked to mission goals and strategies.\n\n\xe2\x80\xa2     Stage 4: Improving the Investment Process focuses on improving the performance\n      and management of the organization\xe2\x80\x99s IT investment portfolio.\n\n\xe2\x80\xa2     Stage 5: Leveraging IT for Strategic Outcomes is characterized by IT-enabled change\n      management techniques used to strategically shape business outcomes.\n\nIn a January 2001 assessment of the Department\xe2\x80\x99s IT capital planning and investment\nmanagement processes, Booz-Allen and Hamilton, Inc., an independent contractor, concluded\nthat the Department was between stage one and stage two. In updating the contractor\xe2\x80\x99s 2001\nassessment6, we found that the Department is in the process of completing the core elements\nlisted in stage two and has begun working on some elements listed in stage three of GAO\xe2\x80\x99s ITIM\nmaturity framework. The Department has made progress in taking specific actions to lay the\ngroundwork for mature investment management capabilities, but it is lacking some basic\nbuilding blocks as described in the following sections. The Department has not\n\n\n\n6\n    Our update of the 2001 assessment was limited to the scope of our review \xe2\x80\x93 see Appendix I.\n\nED-OIG/AO7-C0033                                                                                 Page 4\n\x0c\xe2\x80\xa2     Completed its development of a functional enterprise architecture (Stage 2);\n\n\xe2\x80\xa2     Implemented processes necessary to ensure project-level control and selection, using up to\n      date and complete life-cycle cost, benefit, schedule, and risk (CBSR) information in\n      evaluating competing investments and deciding on which investments to fund (Stage 2); and\n\n\xe2\x80\xa2     Implemented an investment management practice to continually assess proposed and\n      ongoing projects as an integrated and competing set of investment options (Stage 3).\n\nAddressing these issues, which are discussed in the remainder of the report, is crucial as the\nDepartment continues to develop a mature investment management capability.\n\n\n\nFinding 1 \xe2\x80\x93 The Department Has Limited Processes to Ensure Investments\n           are Consistent with its Target Architecture\n\n\nThe Department has limited investment management processes in place to ensure that investments\nare consistent with the basic concepts of its targeted enterprise architecture (EA). The Office of\nManagement and Budget (OMB) guidelines7 require Federal agencies to develop and implement an\nEA to provide a framework for evolving or maintaining existing and planned information\ntechnology, and for evaluating investments in terms of the entity\xe2\x80\x99s progress toward the desired\noperational and technological environment. An EA is a core element in stage two of GAO\xe2\x80\x99s ITIM\nmaturity framework. The Department does not have a complete, functional EA to guide its\ninvestment activities, which precludes the Department from achieving a stage three maturity level.\n\nAs we reported, in September 2002, the Department has not completed a target EA.8 The\nDepartment provided corrective action plans addressing each of the recommendations in the report\nwith 9/30/03 as its planned completion date for the target architecture and 6/30/04 as its planned\ndate for using the architecture in investment management decisions.\n\nWithout a completed target architecture or an explicitly defined process to use the most current\narchitecture information available, the Department\xe2\x80\x99s IT goals may not be explicitly clear to decision-\nmakers. As a result, the Department may not have the necessary information crucial to evaluating IT\ninvestments and ensuring investments are consistent with the basic concept of its target architecture.\n\n\n7\n    Management of Federal Information Resources, OMB Circular A-130 (November 30, 2000).\n8\n    Audit of Enterprise Architecture, Final Audit Report, dated September 30, 2002 (ED-OIG/A07-C0001).\n\nED-OIG/AO7-C0033                                                                                         Page 5\n\x0cIn our review of 47 business cases9 presented to the IRB, we found that none of the business cases\nincluded specific information related to the proposals compatibility with the target EA. Each of the\ninvestment proposals included a score for EA compatibility, but there was no clear information on\nwhat was used to determine the score. According to the IT Investment Management Team Leader,\nthe Department\xe2\x80\x99s investment process uses the IT Initiative Line of Business Alignment model to\nidentify and note potential redundancies. He stated that they scored IT projects compliance by\nevaluating the mission alignment of the project to the Department's strategic plan goals and\nobjectives. In addition, they looked at the projects consistency with the Department\xe2\x80\x99s product\nsupport plan as a means to gauge compliance with the Department\xe2\x80\x99s technical architecture.\n\nThe Department\xe2\x80\x99s Technology Review Board reviews new IT proposals for technical merit; the\nConfiguration Review Board reviews on-going IT projects; and beginning in May 2003, the\nDepartment\xe2\x80\x99s Enterprise Architecture Working Group (EAWG) analyzes all business cases before\nthey are presented to the IRB for funding decisions (i.e., during the select phase of the investment).\nThe EAWG developed five basic questions, the answers to which should determine the compatibility\nwith the Department\xe2\x80\x99s EA. Those questions relate to whether or not the IT proposal supports the\nimplementation of the Government Paperwork Elimination Act and has been reviewed by the\nTechnology Review Board; related interoperability, security, and scalability issues; the tier of the\nprocess within the architecture and related security, privacy, and risk assessments; determining the\ndata source for the application; and the applications dependency on communication with other\nsystems. The questions do not specifically address the target architecture. However, having the type\nof information provided through the EAWG\xe2\x80\x99s review should be valuable to the IRB in evaluating\ncompeting investment initiatives and making approval and funding decisions. The EAWG is\ncurrently in the process of developing a method for communicating the results of its review of the IT\ninitiatives to the IRB.\n\nAs indicated, the Department has several groups reviewing the technology layer of IT proposals and\ninvestments. However, we found no evidence of reviews for the data layer of the architecture. In\naddition, the Department has not formalized its EA review process for IT investments in written\nprocedures. Without a formalized review process for EA compliance it is not clear where\nresponsibilities of one review group end and another begins, which could permit potential EA\ncompliance problems to slip through undetected. In addition, there is a definite disadvantage to not\nhaving a completed, functional EA to use in making investment decisions, however, the EAWG\nshould be in the best position within the Department to evaluate an initiative\xe2\x80\x99s compliance with the\nEA. We have reviewed the EAWG\xe2\x80\x99s methodology for reviewing the initiatives, as provided in the\n\n\n\n9\n  We reviewed the entire universe of fiscal years 2003 and 2004 business cases presented to the IRB for funding\n(i.e., the select phase of the investment).\n\nED-OIG/AO7-C0033                                                                                           Page 6\n\x0cfive investment questions, and believe that the EAWG review should add value to the Department\xe2\x80\x99s\ninvestment review process.\n\nRecommendations\n\nWe recommend that the Department CIO\n\n1.1    Formalize the Department\xe2\x80\x99s review process for IT investment compliance with its EA\n       through written procedures delineating review responsibilities between groups.\n\nWe also recommend that the EAWG\n\n1.2    Provide a high-level summary of whether the new initiative is supported by the current\n       architecture or whether the architecture or the initiative need to be changed in order to assist\n       the IRB in its evaluation of competing investment initiatives; and\n\n1.3    As the information becomes available on the Department\xe2\x80\x99s target architecture, incorporate it\n       into the review of EA compliance.\n\n\n\nFinding 2 \xe2\x80\x93 The Department Has Not Implemented Necessary Processes to\n           Ensure Project-level Control and Selection\n\n\nAccording to GAO10, the first step toward establishing effective investment management is\nputting in place a foundation of effective project-level control and selection processes. These\nprocesses will allow the Department to identify variances in project costs, schedule, and\nperformance expectations; to take corrective action, if appropriate; and to make informed,\nproject-specific selection decisions \xe2\x80\x93 a core element in stage two of GAO\xe2\x80\x99s maturity framework.\nAlthough the Department has made progress toward establishing such foundational processes,\nkey practices still need to be implemented to ensure that the IRB has the information necessary\nto evaluate IT investment proposals and uses the information available to select between\ncompeting proposals.\n\nAccording to the ITIM framework, IT investment management based on industry best practices\nestablishes a systematic process for investment planning and management, including processes\n\n\n\n\nED-OIG/AO7-C0033                                                                             Page 7\n\x0cfor selecting, controlling, and evaluating investment options to maximize the value of the\ninvestments while minimizing their risks. This process requires the development of life-cycle\ncost, schedule, benefit, and risk estimates and the use of these estimates in comparing the relative\nmerits of competing investment options. Such a process allows decision-makers to select those\ninitiatives that best meet the agency\xe2\x80\x99s strategic goals as detailed in a target enterprise\narchitecture and prioritize the selected initiatives for allocation of IT resources.\n\nIn accordance with IT investment management best practices outlined in GAO\xe2\x80\x99s ITIM\nframework, the Department has categorized investment proposals and established basic\ncharacteristics (selection criteria) for evaluating new IT proposals. In addition, the Department\nis using the established criteria in evaluating and selecting IT investments. However, the\nDepartment does not always 1) ensure that the IT proposals have the most up to date and\ncomplete life-cycle cost, benefit, schedule, and risk (CBSR) information available; and 2) use\nthat information in evaluating competing investments and deciding on which investments to fund\nwithin and between the defined categories.\n\nThe Department did not always develop summary, high-level, life-cycle CBSR estimates for\neach IT investment proposal presented to the IRB for approval. CBSR information provides the\nbasis for evaluating and selecting among competing investment options and provides a baseline\nfor measuring progress/performance. Such information is essential to decision-makers, faced\nwith time and resource constraints.\n\nWe reviewed all 47 business cases for IT investments presented to the Department\xe2\x80\x99s IRB for\napproval for fiscal years (FYs) 2003 and 2004. We found that 24 of the business cases did not\nclearly present the relevant information related to the total life-cycle cost of the proposed\ninvestment. While we generally found relevant cost information for the proposed investment\nwithin the business case documentation provided to the IRB, it required an in-depth review of\nthe documentation and in some cases we could not trace all of the costs throughout the\ndocumentation. For example, we found that in all 24 of these business cases it was not clear\nwhat the total investment costs of the proposal was because the documentation provided\nincluded different amounts, but no reconciliation of the differences.\n\nIn addition, we could not assure that the IT proposals we reviewed included complete life-cycle\ncost information, i.e., all costs related to the initiative. Prior to the April 2002 investment review\nreorganization, FSA and the Department had separate investment review processes and were not\nassuring that all costs related to a project were included in the business case package. For\n\n\n10\n  Information Technology: DLA Needs to Strengthen Its Investment Management Capability (GAO-02-314), March\n2002\n\nED-OIG/AO7-C0033                                                                                   Page 8\n\x0cexample, we found that related project costs funded under separate contracts, such as the costs of\nlife-cycle management planning, were not included as part of the total project costs. We also\nfound that modifications increasing contract costs were funded out of operational budgets and\nnot re-evaluated through the established investment review process. Although the Department\xe2\x80\x99s\nIT Investment Management Team Leader stated that, for at least two years, all program offices\nhave been asked to provide complete CBSR information, including the information on related\ntasks or projects, complete life-cycle information is still a problem. In a briefing on the status of\nEA development, CIO officials acknowledged that IT investment proposals do not include\ncomplete life-cycle cost information, citing such examples as security and Government\nPaperwork Elimination Act (GPEA) associated costs.\n\n\nIn addition, we found no indication within the business case documentation packages reviewed\nthat any CBSR data presented to the IRB was validated. The GAO ITIM framework suggests\nthat someone validate the costs, benefits, schedule, and risks (CBSR) documented in the business\ncase. Further, both the CIO Council guide: \xe2\x80\x9cEvaluating Information Technology Investments\xe2\x80\x9d\nand the OMB \xe2\x80\x9cCapital Programming Guide\xe2\x80\x9d include requirements for validating project risks,\nbenefits, and costs. Although we found a Planning and Investment Review Working Group\n(PIRWG) \xe2\x80\x9cValidation\xe2\x80\x9d, the validation appeared to be a validation to cost information presented\nin other schedules throughout the documentation rather than a validation of the CBSR data.\n\n\nTo validate our findings from our review of IT investments presented to the Department\xe2\x80\x99s IRB\nfor approval for FY 2003 and 2004, we reviewed the business cases submitted in the March 2003\nIRB meeting. We found similar issues relating to the lack of clear cost presentation and\nvalidation of the CBSR data. However, we also noted that the information provided to the IRB\nand the process is improving after each meeting.\n\nThe GAO ITIM framework states that categorization of projects is a best practice and leads to\nbetter focus on what an entity needs. Also, comparing proposed initiatives across these\ncategories, as well as to those projects that have already been funded, is a critical process. The\nDepartment categorizes its IT initiatives into the following.\n\n       Business Process Support Systems\n       Program Delivery Systems\n       IT Infrastructure\n       IT Services\n       General Office Automation\n\n\n\n\nED-OIG/AO7-C0033                                                                              Page 9\n\x0cThe Department does not have defined processes or guidance for comparing IT initiatives across\nthe defined investment categories.\n\nAccording to GAO\xe2\x80\x99s ITIM framework, the investment management process should ensure that\nthe IRB collectively analyzes and compares all investments and proposals to select those that\nbest fit with the strategic business direction, needs, and priorities of the organization. The\nDepartment has not instituted a process to ensure that IT investment proposals include complete,\nsummary level, life-cycle cost information; nor that the IRB analyzes and compares all\ninvestments and proposals as a whole package/project within its defined categories of\ninvestments and between those categories. Therefore, the IRB may be making investment\ndecisions without considering the entire cost of a project or without evaluating competing\nprojects in other categories of investment. The IRB also may be making decisions inconsistent\nwith the Department\xe2\x80\x99s IT goals.\n\nRecommendations\n\nEstablishing foundational processes for project-level control and selection processes is necessary\nto develop a mature investment management capability. We recommend that the Department\nCIO ensure that\n\n2.1    IT investment proposals include summary, high-level, life-cycle CBSR estimates.\n\n2.2    IT investment proposals include total life-cycle cost estimates, including security, GPEA,\n       and all other associated costs.\n\n2.3    CBSR data provided in each IT investment proposal is validated.\n\n2.4    Defined processes or guidance for comparing IT initiatives across the defined investment\n       categories are developed and implemented.\n\n\n\n\nED-OIG/AO7-C0033                                                                          Page 10\n\x0cFinding 3 \xe2\x80\x93 The Department Lacks an Investment Management Practice to\n           Continually Assess Proposed and Ongoing Projects\n\n\n\nAccording to GAO, 11 the second major step toward effective investment management is to\ncontinually assess proposed and ongoing projects as an integrated and competing set of\ninvestment options. This portfolio management approach would enable an organization to\nconsider the relative costs, benefits, and risks of new and previously funded investments and\nthereby identify the mix that best meets its mission, strategies, and goals. The Department has\nnot implemented processes associated with managing investments as a complete portfolio.12\nSpecifically, the Department has not implemented an investment management practice to\ncontinually assess proposed and ongoing projects as an integrated and competing set of\ninvestment options \xe2\x80\x93 a core element in stage three of GAO\xe2\x80\x99s maturity framework. As a result,\nthe Department\xe2\x80\x99s IRB may not be able to adequately assess the relative merits of investment\nproposals and make trade-offs among competing options.\n\nAccording to the ITIM framework, the IRB should be responsible for monitoring each\ninvestment\xe2\x80\x99s progress to ensure that each IT investment decision achieves its CBSR\nexpectations. These investment (and portfolio) expectations are the baseline for periodic\nperformance reviews that examine the costs incurred, the benefits attained, the current schedule,\nand the risks mitigated, eliminated, or accepted to date. We found, in a couple of the most recent\nsubmissions to the IRB (March 2003), that the Department had begun to track investments to the\ninitial cost and schedule milestones. However, where differences were noted, we found little\nevidence of corrective action required or taken. In addition, although the Department requests\nupdated CBSR information to review the status of prior IRB approved projects, it has not\nimplemented a process or procedure to use the updated information to compare both proposed\nand ongoing IT investments in order to determine priorities and to make decisions about what\nprojects to fund based on their relative costs, benefits, schedule, and risks.\n\nWithout processes in place to obtain and use updated CBSR information to compare both\nproposed and ongoing investments, the Department has limited investment control capabilities.\nAs such, the Department is unable to assess and make trade-offs about the relative merits of\nspending funds to develop new systems, enhance current systems, or continue operating and\n\n11\n   Information Technology: INS Needs to Strengthen Its Investment Management Capability (GAO-01-146),\nDecember 2002.\n12\n   Meaning an integrated, enterprise-wide collection of investments.\n\nED-OIG/AO7-C0033                                                                                   Page 11\n\x0cmaintaining existing systems, which could result in investment decisions inconsistent with the\nDepartment\xe2\x80\x99s goals.\n\nRecommendations\n\nEstablishing processes for continually assessing proposed and ongoing projects is necessary to\ndevelop a mature investment management capability. We recommend that the Department CIO\n\n3.1    Ensure that the status of prior IRB approved projects are tracked and compared to initial\n       baseline performance measures, and corrective action taken, where appropriate; and\n\n3.2    Develop a process or implement an investment management practice to continually\n       assess proposed and ongoing projects as an integrated and competing set of investment\n       options.\n\n\n\nThe Department\xe2\x80\x99s Comments\n\nThe Department generally concurred with our findings and recommendations and stated that\nimprovements had already been made and incorporated in its most current IT Investment\nManagement (ITIM) process. In addition, the Department\xe2\x80\x99s response indicated that it had\nalready implemented many of the audit\xe2\x80\x99s recommendations, but acknowledged that there was\nstill an opportunity for improvement by ensuring the practices are consistently applied. The\nDepartment\xe2\x80\x99s full response is attached to this report.\n\n\n\n\nED-OIG/AO7-C0033                                                                         Page 12\n\x0c             Audit of Capital Planning and Investment Management\n\n                                               Background\n\n\nEach year the Department invests hundreds of millions of dollars on IT systems and activities.\nAccording to the Department\xe2\x80\x99s FY 2004 Exhibit 53 (budget documents), in FY 2002, it obligated\nabout $383.4 million on its total IT investment portfolio. In FY 2003, the Department expects to\nobligate about $400 million on its total IT investment portfolio. In FY 2004, the Department\nplans to spend about $417.3 million on its total IT investment portfolio.\n\nIn September 2002, we reported that the Department did not have an enterprise architecture (or\nagency-wide blueprint) to guide the development of its new and the evolution of its existing\ninformation systems.13 An enterprise architecture is a Clinger-Cohen Act requirement and a\npractice of successful public and private sector organizations. Our report recognized the\nDepartment\xe2\x80\x99s progress in developing an enterprise architecture, indicating that the Department\nhad completed its current architecture and was beginning to develop its target architecture. Until\nthe Department has such an architecture, it will not be able to ensure that the hundreds of\nmillions of dollars it spends each year on new and existing information systems will optimally\nsupport mission needs. We recommended that the Department complete the development of its\nenterprise architecture, including the target architecture and a plan for moving from the current\nto the target architecture.\n\nThe Clinger-Cohen Act was enacted to address longstanding problems related to federal IT\nmanagement. Among other things, it requires agency heads to implement a process for\nmaximizing the value and assessing and managing the risks of its acquisitions. A key goal of the\nClinger-Cohen Act is that agencies have processes and information in place to help ensure that\nIT projects are being implemented at acceptable costs, within reasonable and expected time\nframes, and are contributing to tangible, observable, improvements in mission performance.\n\nIn April 2002, the Department reorganized its investment review process and established a single\nDepartment-level Investment Review Board (IRB) consistent with GAO\xe2\x80\x99s guidance14. The\nDepartment has slowly implement its reorganized investment review process. As of the date of\nour review, the IRB had met 3 times \xe2\x80\x93 July 2002, December 2002, and March 2003.\n\n\n\n13\n     Audit of Enterprise Architecture, Final Audit Report, dated September 30, 2002 (ED-OIG/A07-C0001).\n14\n     Prior to April 2002, the Department and FSA had separate investment review processes.\n\nED-OIG/AO7-C0033                                                                                          Page 13\n\x0c        Audit of Capital Planning and Investment Management\n\n\n                       Objective, Scope, and Methodology\n\n\nThe objective of our review was to assess the status of the Department\xe2\x80\x99s compliance with the\nClinger-Cohen Act requirements for capital planning and investment management. Specifically,\nwe determined whether Department\xe2\x80\x99s investment review process ensured that 1) information\ntechnology (IT) investment decisions were consistent with the enterprise architecture, currently\nunder development; 2) costs and benefits of each investment were fully considered in\ndetermining which projects to fund; and 3) costs and benefits of all IT investments were\nadequately tracked and considered in determining the mix of projects funded for the\nDepartment\xe2\x80\x99s overall investment portfolio.\n\nTo accomplish our objective, we reviewed applicable Department policies and procedures, as\nwell as laws, regulations, and agency guidelines addressing capital planning and investment\nmanagement. We obtained and reviewed the documentation of the Department\xe2\x80\x99s charter for its\nInvestment Review Board (IRB). We obtained background budget information on the amount\nthe Department obligates and expects to spend on IT investments for FYs 2002 through 2004.\nWe interviewed personnel from the Department\xe2\x80\x99s and FSA\xe2\x80\x99s CIO offices.\n\nWe reviewed prior OIG audit reports, along with GAO reports, applicable to systems and capital\nplanning and investment management issues. We evaluated the Department\xe2\x80\x99s efforts to date\nusing GAO\xe2\x80\x99s \xe2\x80\x9cInformation Technology Investment Management\xe2\x80\x9d (ITIM) framework. We\nlimited this evaluation to the Department\xe2\x80\x99s progress in developing mature investment\nmanagement processes \xe2\x80\x93 Stages 2 and 3 of GAO\xe2\x80\x99s ITIM maturity framework. We also limited\nthe evaluation to the scope of our review, which did not include all critical processes and\nassociated steps within Stages 2 and 3. We began with the 2001 IT Capital Planning &\nInvestment Management Process Assessment Results performed by Booz-Allen and Hamilton,\nInc., dated January 16, 2001, updating that assessment with any noted progress made based on\nour review of documentation, discussions with Department personnel, and review of business\ncases and PIRWG summaries (see Appendix I). We did not perform a complete Capability\nMaturity Model review of the Department\xe2\x80\x99s investment management processes.\n\nWe reviewed all 47 business cases presented to the Department\xe2\x80\x99s IRB for FYs 2003 and 2004.\nWe limited our review to the most recent fiscal years because the Department reorganized its\ninvestment review process in April 2002 and we had information related to business cases\n\nED-OIG/AO7-C0033                                                                        Page 14\n\x0capproved under the prior process from our previous work in a related area.15 We did not perform\na reliability assessment because we did not use computerized data to meet our assignment\nobjectives.\n\nWe conducted work at the Department\xe2\x80\x99s and FSA\xe2\x80\x99s CIO offices in Washington, D.C. and our\nOIG office in Kansas City, MO, during the period October 2002 to June 2003. We held an exit\nconference with Department and FSA officials on June 26, 2003. Our audit was performed in\naccordance with generally accepted government auditing standards appropriate to the scope of\nthe review.\n\n\n\n\n15\n Audit of FSA Modernization Partner Agreement, Final Audit Report, dated November 20, 2002 (ED-OIG/A07-\nB0008).\n\nED-OIG/AO7-C0033                                                                                 Page 15\n\x0c        Audit of Capital Planning and Investment Management\n\n\n                      Statement on Management Controls\n\n\nAs part of our review, we gained an understanding of the Department\xe2\x80\x99s management control\nstructure applicable to the scope of this review. For purposes of this review, we assessed and\nclassified the significant management controls related to the Department\xe2\x80\x99s information\ntechnology efforts into the planning and assessment activities over the Department\xe2\x80\x99s capital\nplanning and investment management. The assessment also included a determination of whether\nthe processes used by the Department provided a reasonable level of assurance of compliance\nwith the Clinger-Cohen Act.\n\nBecause of inherent limitations, and the limited nature of our review, a study and evaluation\nmade for the limited purpose described above would not necessarily disclose material\nweaknesses in the management control structure. However, our assessment identified\nweaknesses in the Department\xe2\x80\x99s investment management processes as set out in the Audit Results\nsection of this report.\n\n\n\n\nED-OIG/AO7-C0033                                                                      Page 16\n\x0c\x0c\x0cAUDIT OF CAPITAL PLANNING AND INVESTMENT MANAGEMENT.\nED-OIG/A07-C0033\n\nFinding 1 \xe2\x80\x93 The Department has Limited Processes to Ensure Investments\nare Consistent with its Target Architecture.\n\nRecommendations:\n\n1.1     That the Department CIO: Formalize the Department\xe2\x80\x99s review process for\n        IT investment compliance with its EA through written procedures\n        delineating review responsibilities between groups.\n\n1.2.     That the EAWG: Provide a high-level summary of whether the new\n        initiative is supported by the current architecture or whether the\n        architecture or the initiative needs to be changed in order to assist the IRB\n        in its evaluation of competing investment initiatives; and\n\n1.3     As the information becomes available on the Department\xe2\x80\x99s target\n        architecture, incorporate it into the review of EA compliance.\n\nProposed Action Items:\n\n1.1.1 Develop and use in the FY 2004 Select Phase, a set of written procedures\n      that formalizes the Department\xe2\x80\x99s review process for IT investment\n      compliance with the Enterprise Architecture. The written procedures will\n      delineate review responsibilities. Planned completion date: 3/31/2004\n\n1.2.1 For the FY 2004 Select Phase the Enterprise Architecture Working Group\n      will provide, for each new initiative, a high-level summary of how the\n      initiative is supported by the current architecture and whether the\n      architecture or the initiative needs to be changed in order to assist the IRB\n      in its evaluation of competing investment initiatives. Planned completion\n      date: 8/31/2004\n\n1.3.1    As information becomes available on the Department\xe2\x80\x99s target\n        architecture, the Enterprise Architecture Working Group will use it in the\n        review of significant investments. Planned completion date: 8/31/2004\n\nFinding 2 \xe2\x80\x93 The Department has not implemented Necessary Processes to\nEnsure Project-level Control and Selection.\n\nRecommendations. That the CIO ensure that:\n\n2.1 IT investment proposals include summary, high-level, life-cycle cost, benefit,\n    schedule and risk (CBSR) estimates.\n\n\n                                          1\n\x0c2.2 IT investment proposals include total life-cycle estimates, including security,\n    GPEA, and all other associated costs.\n\n2.3 CBSR data provided in each IT investment proposal is validated.\n\n2.4 Defined processes or guidance for comparing IT initiatives across the\n    defined investment categories are developed and implemented.\n\nProposed Action Items:\n\n2.1.1 In the FY 2004 Select Phase, each significant IT investment proposal will\n     include summary, high-level, life-cycle cost, benefit, and risk estimates.\n     Planned completion date: 8/31/2004\n\n2.2.1 In the FY 2004 Select Phase, each significant IT investment proposal will\n     include improved life-cycle estimates, including security and other\n     appropriate costs. Planned completion date: 8/31/2004\n\n2.3.1 In the FY 2004 Select Phase, the ITIM process will include a\n     reasonableness review of the CBSR data for each significant IT investment\n     proposal. Planned completion date: 8/31/2004\n\n2.4.1 For the FY 2004 Select Phase, defined procedures for comparing IT\n     initiatives across the defined investment categories will be developed and\n     implemented. The defined investment categories are: Business Process\n     Support Systems; Program Delivery Systems; IT Infrastructure; IT Services;\n     General Office Automation. Planned completion date: 3/31/2004\n\nFinding 3 \xe2\x80\x93 The Department Lacks an Investment Management Practice to\nContinually Assess Proposed and Ongoing Projects\n\nRecommendations. That the Department CIO:\n\n3.1    Ensure that the status of prior IRB approved projects are tracked and\n      compared to initial baseline performance measures, and corrective action\n      taken, where appropriate; and\n\n3.2 Develop a process or implement an investment management practice to\n    continually assess proposed and ongoing projects as an integrated and\n    competing set of investments.\n\n\n\n\n                                         2\n\x0cProposed Action Items:\n\n3.1.1 Beginning with the FY 2004 Select Phase, all of the IRB approved projects\n     will be tracked and compared to initial or updated baseline performance\n     measures. Corrective actions will be directed by the IRB as appropriate.\n     Planned completion date: 8/31/2004\n\n\n3.1.2 Improve the investment management practice of continually assessing\n     proposed and ongoing initiatives as an integrated and competing set of\n     investment options in coordination with Action Item 3.1.1. Planned\n     completion date: 8/31/2004\n\n\n\n\n                                       3\n\x0c"